Migration Design of RPD
From One Environment to the Other
Migration
of OBIEE RPD from one environment to the next can be simple, just copy the
RPD. But then one would have to manually open up the RPD afterwards in
the target environment to change connection pool information, maybe AD server
configuration and the list can go on. Pretty much each environment may
necessitate changes to the RPD for that specific environment. I
want to reduce these manual changes in the migration project and somehow automate
them. So I came up with a design that I have effectively deployed
that reduces manual intervention, automates the process and is more
secure than most design strategies I have seen, since the connection pool
passwords are all encrypted. I will share this design in hopes that it
will help others or give them ideas on their solution to their migration
process.
The
design requires a repository variable, UDML script, a service account to an
external table and a stand alone RPD. These will all be explained in
detail later. The basic flow is that when a migration is requested to
lets say DEV to QA we would just run a script. This script will take
DEV’s RPD and run the UDML script against it to generate the new target QA RPD
and move this new RPD over to the QA environment. The UDML script is used
to update the one repository variable (lets call it RPD_ENV) and the service
account’s connection pool password. The service account is used to get
the other connection pool passwords for the RPD based on the environment the
RPD is in, hence the RPD_ENV repository variable. An example of the UDML
script is as follows:
DECLARE CONNECTION POOL “SampleSales”.”Connection Pool” AS
“Connection Pool” UPGRADE ID 2150568163
DATA SOURCE {SAMPLESALES.WORLD}
TIME OUT 300
MAX CONNECTIONS 10
TYPE ‘OCI10G’
USER ‘SADMIN’
PASSWORD ‘D7EDED84BC624A917F5B462A4DCA05CDCE256EEEEEDC97D51B4C9E811F09E97D0E252362E1DD04A6AC4D07C3A079829F’
REQUIRE QUALIFIED TABLE NAME
SHARED LOGIN
CONNECTIONS TO SAME URI 10
OUTPUT TYPE XML
HEADER PATH {E:\\OracleBI\\server\\config\\NQSQueryHeader.xml}
TRAILER PATH {E:\\OracleBI\\server\\config\\NQSQueryTrailer.xml}
BULK INSERT BUFFER SIZE 32768 TRANSACTION BOUNDARY 10
TEMP TABLE PREFIX {TT} OWNER {}
PRIVILEGES ( READ);
DATA SOURCE {SAMPLESALES.WORLD}
TIME OUT 300
MAX CONNECTIONS 10
TYPE ‘OCI10G’
USER ‘SADMIN’
PASSWORD ‘D7EDED84BC624A917F5B462A4DCA05CDCE256EEEEEDC97D51B4C9E811F09E97D0E252362E1DD04A6AC4D07C3A079829F’
REQUIRE QUALIFIED TABLE NAME
SHARED LOGIN
CONNECTIONS TO SAME URI 10
OUTPUT TYPE XML
HEADER PATH {E:\\OracleBI\\server\\config\\NQSQueryHeader.xml}
TRAILER PATH {E:\\OracleBI\\server\\config\\NQSQueryTrailer.xml}
BULK INSERT BUFFER SIZE 32768 TRANSACTION BOUNDARY 10
TEMP TABLE PREFIX {TT} OWNER {}
PRIVILEGES ( READ);
DECLARE RP VARIABLE “RPD_ENV” AS “QA” UPGRADE ID 2150568180
EXPRESSION {‘SIEBEL’}
PRIVILEGES ( READ);
PRIVILEGES ( READ);
As
you can see the connection pool password is encrypted and the RPD_ENV
repository variable is being set to its target environment. For QAT to
PROD script, this UDML script would be modified so that the service accounts
password would reflect the production services password and RPD_ENV value to
“PROD”. ( This is taking into account that the service account uses the same
user id for logging in, if not this could also be changed in the line above the
password. ) Now the service account is pulling the passwords from an
external table in a database. The table that I used is simple and the DDL
(assuming using Oracle for the external table) is:
CREATE TABLE OBIEE_CONN_POOL(
“CONN_POOL” AS VARCHAR2(50),
“ENV” AS VARCHAR2(5),
“LOGIN” AS VARCHAR2(255)
)
“CONN_POOL” AS VARCHAR2(50),
“ENV” AS VARCHAR2(5),
“LOGIN” AS VARCHAR2(255)
)
CONN_POOL
is the connection pool, ENV is for the environment (values would be
‘DEV,’QA’,'PROD’ or any/all environments) and ‘LOGIN’ is for the password for
the connection pool. I named the password field something different as a
lot of DBA’s or compliance people are touchy on naming fields that would be
obvious in case of the db being compromised. This is just a simplistic
version of the table and can be modified to satisfy the projects needs.
So
I have explained the repository variable, the UDML script, with example, and
the service account’s use. So what is the stand alone RPD mentioned used
for? Well I created an RPD that is bare bones for the purpose of the
DBA(s) to enter the password for the service account. So the DBA would
enter the service account’s password within this RPD.
When finished we
would just have to copy the connection pool object and paste within
notepad. The result is the UDML for that connection with the password
encrypted. This way the DBA(s) are the only ones that know the service
account password and thus how to access that external table. So all
connection pool password(s) would be secure and guarded by the DBA(s). We
only have the encrypted password, which does not help us use it, unless of
course we know the encryption scheme OBIEE uses!:) In my case, the
service account password changes once a year.
So the DBA needs to update
the password in this stand alone RPD and then I need to get the encrypted
password in the process just discussed and replace the service accounts
password string within the UDML script. Also, the DBA(s) are the
administrators of that external table and keeping the table’s passwords in
synch when they change them.
A
quick note on this approach. In this approach, we have all the connection
pool passwords located on an external database. We use initialization
blocks to set dynamic repository variables with the passwords to be used in the
connection pools. So that the connection pools passwords get there value
from their respective repository variables, via VALUEOF(‘XXXX’)
function.
Since all connection pool passwords, except for the
service account, are now being retrieved and stored in repository variables
there is a security risk that the OBIEE admin or users can get the passwords
through the same VALUEOF() function (that is if they know the repository
variables.) There is no way, at least that I know, which allows me to add
security and permissions on variables within the RPD. Since this is a
security risk this needs to be looked at by the OBIEE architects to assess how
much of a risk this is.
A more secure approach then would be to house all
connection pools in that stand alone RPD where the DBA(s) set the password for
the service account. In this alternate approach, the DBA(s) will set all
the passwords in this RPD and then your UDML script will need to be modified to
add each connection pool in it along with the encrypted password retrieved from
this stand along RPD with the same copy and paste approach. This way the
passwords are 100% secure, to the best of OBIEE’s abilities. So when the
DB passwords change, the DBA(s) would need to modify and enter the new password
in the stand alone RPD and the UDML script will need to be changed each
time. This may and will add more administration, but is more secure.
Now
the main script used to run the migration can be in whatever scripting language
you choose. You may want to do pre and post work it is all up to the
project requirements. But to run the UDML script above use the following
command nqUDMLexec. This tool takes the source/input RPD, runs the specified
UDML script against it and results in a modified RPD specified from the output
repository location and name. The syntax of this command line is:
nQUDMLExec [-U [userid]] [-P [password]] -I
input_script_pathname [-B base_repository_pathname] -O
output_repository_pathname [-8] -8 is for UTF-8
Eg 1: nQUDMLExec -U Administrator -P Administrator -I testudml.txt -B DEV.rpd -O QA.rpd
Eg 1: nQUDMLExec -U Administrator -P Administrator -I testudml.txt -B DEV.rpd -O QA.rpd
No comments:
Post a Comment